

Django updated

 

An update to the Django package just hit my Lucid dev system.  It
includes a change to the built-in CSRF middleware that will affect any
AJAXy stuff we do.  Matt Nuzum previously pointed this change out to me at
the project's website.

http://www.djangoproject.com/weblog/2011/feb/08/security/

The diff between the previous and new versions as packaged for Lucid is
attached.

-David
=== modified file 'usr/share/doc/python-django/changelog.Debian.gz'
Binary files old/usr/share/doc/python-django/changelog.Debian.gz	2011-02-18 16:01:33 +0000 and new/usr/share/doc/python-django/changelog.Debian.gz	2011-02-16 17:06:39 +0000 differ
=== modified file 'usr/share/pyshared/django/contrib/admin/widgets.py'
--- old/usr/share/pyshared/django/contrib/admin/widgets.py	2011-02-18 16:01:33 +0000
+++ new/usr/share/pyshared/django/contrib/admin/widgets.py	2011-02-16 17:06:40 +0000
@@ -93,7 +93,7 @@
         output = []
         if value and hasattr(value, "url"):
             output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \
-                (_('Currently:'), value.url, value, _('Change:')))
+                (_('Currently:'), escape(value.url), escape(value), _('Change:')))
         output.append(super(AdminFileWidget, self).render(name, value, attrs))
         return mark_safe(u''.join(output))
 
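Review bot: The new line calls `escape`, but the hunk does not show it being imported; confirm `from django.utils.html import escape` (or an equivalent) is already at the top of widgets.py, otherwise the line raises `NameError` only when a file value is rendered. A why-comment would help the next maintainer, since the joined output is wrapped in `mark_safe` two lines below and so every interpolated value must be escaped here: `# value.url / value are typically derived from the uploaded filename; escape them, the result is passed to mark_safe below`. The `_('Currently:')` and `_('Change:')` strings remain unescaped, which is fine only as long as the translation catalog is trusted. The enclosing `render` method starts before this hunk.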

=== modified file 'usr/share/pyshared/django/contrib/csrf/middleware.py'
--- old/usr/share/pyshared/django/contrib/csrf/middleware.py	2011-02-18 16:01:33 +0000
+++ new/usr/share/pyshared/django/contrib/csrf/middleware.py	2011-02-16 17:06:40 +0000
@@ -37,9 +37,6 @@
             if getattr(callback, 'csrf_exempt', False):
                 return None
 
-            if request.is_ajax():
-                return None
-
             try:
                 session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
             except KeyError:
@@ -48,9 +45,12 @@
 
             csrf_token = _make_token(session_id)
             # check incoming token
-            try:
-                request_csrf_token = request.POST['csrfmiddlewaretoken']
-            except KeyError:
+            request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
+            if request_csrf_token == "":
+                # Fall back to X-CSRFToken, to make things easier for AJAX
+                request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
+
+            if request_csrf_token == "":
                 return HttpResponseForbidden(_ERROR_MSG)
 
             if request_csrf_token != csrf_token:
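Review bot: The comparison on the last context line, `if request_csrf_token != csrf_token:`, is an ordinary string inequality that stops at the first differing character, and the commit does not change it even though the token is now accepted from a second carrier (the `X-CSRFToken` header); a comparison that does not short-circuit is preferable — `django.utils.crypto.constant_time_compare` where the packaged Django provides it, otherwise a loop that checks every character before deciding. The two `== ""` checks read as one lookup chain if collapsed: `request_csrf_token = request.POST.get('csrfmiddlewaretoken', '') or request.META.get('HTTP_X_CSRFTOKEN', '')` followed by `if not request_csrf_token:`. The comment on the header fallback should also state why a header is an acceptable carrier: the value is still compared against the session-derived `_make_token(session_id)`, so this is a token check, not an origin check, and it does not restore the `is_ajax()` exemption removed in the previous hunk. `process_view` starts and ends outside this hunk.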

=== modified file 'usr/share/pyshared/django/contrib/csrf/tests.py'
--- old/usr/share/pyshared/django/contrib/csrf/tests.py	2011-02-18 16:01:33 +0000
+++ new/usr/share/pyshared/django/contrib/csrf/tests.py	2011-02-16 17:06:40 +0000
@@ -134,11 +134,11 @@
         req2 = CsrfMiddleware().process_view(req, csrf_exempt(self.get_view()), (), {})
         self.assertEquals(None, req2)
 
-    def test_ajax_exemption(self):
+    def test_csrf_token_in_header(self):
         """
-        Check that AJAX requests are automatically exempted.
+        Check that we can pass in the token in a header instead of in the form
         """
         req = self._get_POST_session_request()
-        req.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
+        req.META['HTTP_X_CSRFTOKEN'] = _make_token(self._session_id)
         req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
         self.assertEquals(None, req2)
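Review bot: The renamed test only covers the positive header path; nothing in this hunk asserts that an `X-Requested-With: XMLHttpRequest` POST without a token is now rejected, which is exactly the behaviour the middleware hunk changed and the one most likely to regress if the exemption is ever re-added. A companion test that sets the old header, omits the token and expects the forbidden response from `process_view` would pin that down; the middleware returns `HttpResponseForbidden`, so asserting on `status_code == 403` is sufficient. The docstring of the renamed test should also end with a period to match the surrounding ones.
```python
    def test_ajax_not_exempt(self):
        """
        Check that an AJAX request without a token is no longer exempted.
        """
        req = self._get_POST_session_request()
        req.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
        req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
        self.assertEquals(403, req2.status_code)
```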